Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 433
Alerts This Week
Warning Icon 1 433

Ubuntu 14.10 & 14.04 LTS: USN-2495-1 Moderate Oxide Exploits

ubuntu
Calendar Grey February 10, 2015
Dist Ubuntu Esm H88
Ubuntu addresses significant security flaws in web software as detailed in Security Notice USN-2495-1. Critical patches for Oxide help mitigate vulnerabilities.
Several security issues were fixed in Oxide.

Summary

Several security issues were fixed in Oxide.

Software Description:

- oxide-qt: Web browser engine library for Qt (QML plugin)

Details:

A use-after-free bug was discovered in the DOM implementation in Blink. If

a user were tricked in to opening a specially crafted website, an attacker

could potentially exploit this to cause a denial of service via renderer

crash or execute arbitrary code with the privileges of the sandboxed

render process. (CVE-2015-1209)

It was discovered that V8 did not properly consider frame access

restrictions when throwing exceptions in some circumstances. If a user

were tricked in to opening a specially crafted website, an attacker could

potentially exploit this to bypass same origin restrictions.

(CVE-2015-1210)

It was discovered that Chromium did not properly restrict the URI scheme

during ServiceWorker registration. If a user were tricked in to

downloading and opening a specially crafted HTML file, an attacker could

potentially ...

Read the Full Advisory

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.10:
  liboxideqtcore0                 1.4.3-0ubuntu0.14.10.1
  oxideqt-codecs                  1.4.3-0ubuntu0.14.10.1
  oxideqt-codecs-extra            1.4.3-0ubuntu0.14.10.1

Ubuntu 14.04 LTS:
  liboxideqtcore0                 1.4.3-0ubuntu0.14.04.1
  oxideqt-codecs                  1.4.3-0ubuntu0.14.04.1
  oxideqt-codecs-extra            1.4.3-0ubuntu0.14.04.1

In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-2495-1

CVE-2015-1209, CVE-2015-1210, CVE-2015-1211, CVE-2015-1212

February 10, 2015

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.